1. Technical Field
Embodiments of the present invention relate generally to data storage and management and more particularly to a method and system for controlling access to data of a tape data storage medium.
2. Description of the Related Art
As the use of data processing systems has become more prevalent, the techniques used to store and manage data produced by such data processing systems have evolved. One mechanism for storing and providing access to such data is the tape storage system. A conventional tape storage system comprises a tape storage drive such as the 3592 Enterprise Tape System provided by International Business Machines Corporation of Armonk, N.Y. and a removable tape data storage medium upon which data may be stored. It is frequently desirable to control access (e.g., to prevent data from being accessed or to otherwise obscure the data's content or meaning) to data stored within such removable tape data storage media in order to prevent unauthorized access.
As removable tape data storage media are, by definition, removable, they are subject to loss, theft, or other circumstances in which the physical possession of the media is compromised. For example, removable tape data storage media are frequently transported from a primary physical site (e.g., where an associated tape storage drive utilized to store data initially within the removable tape data storage media is located) to a secondary physical site (e.g., for archive or interchange purposes). Since the physical possession of tape data storage media is so difficult to control, conventional tape storage systems utilize various logical techniques to prevent unauthorized access to stored data.
One logical, rather than physical, technique for protecting data stored on removable tape data storage media from unauthorized access involves the use of full data encryption utilizing an encryption standard such as the Advanced Encryption Standard (AES) or Data Encryption Standard (DES). Data to be stored within a tape data storage medium is encrypted by a host data processing system using a data encryption key prior to being transferred to an associated tape storage drive such that the original data may not be obtained from the tape storage drive without first performing an inverse “decryption” operation utilizing an associated decryption key. Utilizing a symmetric encryption system or method, a single “symmetric” key is utilized for both the encryption and decryption operations. By contrast, in “asymmetric” encryption systems or methods, distinct, although related, keys are utilized for encryption and decryption operations such that, without the decryption key, it is computationally infeasible to decrypt data which has been encrypted, even when the key utilized for encryption is known.
While full data encryption may be used to provide significant protection to the content of encrypted data, it suffers from a number of significant drawbacks. More specifically, although data encryption protects the content or substance of data, it does not prevent access to the encrypted data itself. Accordingly, if an associated decryption key's value were compromised or sufficient computational resources could be applied to analyze the encrypted data, the data's content could be determined. Moreover, the resultant “encrypted” data generated by conventional encryption techniques is relatively random and consequently may not be compressed to the same extent as unencrypted data. The processing and storage of such compression-resistant data may incur a significant storage capacity and data processing performance penalty. Additionally, the performance of encryption and decryption operations is so computationally intensive that specialized hardware may be required, causing tape storage drive designers and providers to select between affordability and performance.
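The storage penalty described above can be measured directly. The following is an added example, not part of the original text: it compares the bytes written when data is only compressed, when it is encrypted by the host before compression, and when it is compressed before encryption. The SHA-256 counter-mode keystream is an assumed stand-in for AES or DES (chosen only because its output is statistically random like real ciphertext), and the key, nonce, sample records and function names are constructed for illustration.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode), NOT AES or DES.

    XOR is its own inverse, so the same call encrypts and decrypts.
    """
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        pad = hashlib.sha256(key + nonce + block_no.to_bytes(8, "big")).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def pipeline_sizes(plaintext: bytes, key: bytes, nonce: bytes) -> dict:
    """Return the number of bytes reaching the medium under each write path."""
    compressed = zlib.compress(plaintext, 6)
    host_encrypted = keystream_xor(key, nonce, plaintext)
    return {
        "plain": len(plaintext),
        "compress_only": len(compressed),
        # Host encrypts first; later compression only ever sees ciphertext.
        "encrypt_then_compress": len(zlib.compress(host_encrypted, 6)),
        # Compress first, then encrypt the already-reduced stream.
        "compress_then_encrypt": len(keystream_xor(key, nonce, compressed)),
    }


# Constructed sample: repetitive record-style data, as found in many backups.
SAMPLE = b"".join(
    b"2024-01-%02d,account=%06d,status=OK,balance=0000100.00\n" % (n % 28 + 1, n)
    for n in range(4000)
)
KEY = b"constructed-demo-key"      # constructed value, not a real key
NONCE = b"constructed-nonce"       # constructed value

if __name__ == "__main__":
    for name, size in pipeline_sizes(SAMPLE, KEY, NONCE).items():
        print(f"{name:24s} {size:8d} bytes")
```

Encrypting before compression leaves the stream essentially at its original size, while compressing first keeps the full reduction.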